Current Activity Calendar

	July 2003
Su	M	Tu	W	Th	F	Sa
		1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29	30	31

Please click on a date above to see current activity for that day.

Latest Current Activity

July 23, 2003 - Current Activity

This is an archived copy of current activity, if you would like to see the most recent version, please click here.

*new*	Attempts To Exploit Cisco IOS Interface Blocked Vulnerabilities (VU#411332)
	W32/Sobig.E
	Reports of TCP scanning with window size 55808
	W32/BugBear.B

Attempts To Exploit Cisco IOS Interface Blocked Vulnerabilities (VU#411332)
added July 18

The CERT/CC has received reports of activity consistent with attempts to exploit the Cisco IOS Interface Blocked Vulnerabilities described in CERT Advisories CA-2003-15 and CA-2003-17. To date, we are unaware of any sites whose operations have been interrupted by these attempts. Sites are strongly encouraged to read these two advisories, and take any actions necessary to protect their networks.

CERT Advisory CA-2003-15, "Cisco IOS Interface Blocked by IPv4 Packet"
http://www.cert.org/advisories/CA-2003-15.html
CERT Advisory CA-2003-17, "Exploit Available for the Cisco IOS Interface Blocked Vulnerabilities"
http://www.cert.org/advisories/CA-2003-17.html

W32/Sobig.E
added June 26

The CERT/CC has received reports of a variant of the Sobig mass-emailing worm, referred to as "W32/Sobig.E." It arrives as an attachment with a .zip extension. Within that .zip file is a file with either a .scr or .pif extension. Upon opening the attachment, the worm attempts to mail itself to all e-mail addresses it finds in files with a .wab, .dbx, .htm, .html, .eml, or .txt file extension. Additionally, this worm spoofs the "From" address, therefore it is likely that the sender address is not that of the infected user.

Upon execution, the worm places the following files in the "%Windir%" directory:

winssk32.exe (copy of worm)

msrrf.dat (configuration file)

The following registry keys are created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "SSK Service"="%Windir%\winssk32.exe"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "SSK Service"="%Windir%\winssk32.exe"

The worm also attempts to propogate by copying itself to the following folders:

Documents and Settings\All Users\Start Menu\Programs\Startup\

Windows\All Users\Start Menu\Programs\StartUp\

The CERT/CC strongly encourages users to install anti-virus software, and keep its virus information files up-to-date.

Users may also wish to consider filtering email attachments with the extensions listed above.

You may also wish to visit the CERT/CC's computer virus resources page.

Reports of TCP scanning with window size 55808
added June 24

In recent weeks, there have been numerous accounts of activity surrounding TCP packets with a window size of 55808. Initial reports of this activity received by the CERT/CC indicate that the Selective Acknowledgement bit is set and the window scale option is set to 2. Selective Acknowledgments are described in more detail in RFC2018 "TCP Selective Acknowledgment Options"; the window scale field is described in RFC1323 "TCP Extensions for High Performance". The window scale value designates the number of bits that the window size value should be shifted in order to compute the actual window size. Thus, with a window size of 55808 and a scale of 2, the actual window size being requested is 223,232 bytes.

To date, there are several pieces of malicious code that have been identified capable of generating traffic with a window size of 55808. This includes the "Stumbler" malicious code reported by Internet Security Systems (ISS) and "55808 Trojan - Variant A" described by Intrusec on June 19, 2003. We have also received reports that a variant of a common IRC bot (sdbot) is capable of generating TCP packets with a window size of 55808. A previous variant of the sdbot malicious code was mentioned briefly in CA-2003-08.

Analysis indicates that while these various pieces of malicious code will generate TCP packets with a window size of 55808, not all of them set the window scale option. This is an important detail because it indicates that there may be multiple artifacts responsible for generating the reported traffic.

We are tracking this activity as incident CERT#26124, and are interested in receiving reports thereof. Relevant artifacts or activity can be sent to cert@cert.org with "CERT#26124" in the subject line.

W32/BugBear.B
added June 5

The CERT/CC has received reports of a variant of the BugBear mass-emailing worm, referred to as "W32/BugBear.B", "W32/Kijmo" or "W32/Shamur". It arrives as an attachment with a .pif, .scr, or .exe extension. Upon opening the attachment, the worm attempts to mail itself to all e-mail addresses it finds in the current inbox and in files with a .dbx, .eml, .mbx, .mmf, .nch, .ocs, or .tbb file extension. Additionally, this worm has a built-in keylogger, a backdoor that listens on port 1080/tcp, and attempts to terminate numerous security product processes on the system.

The worm also attempts to propogate by copying itself to the following folders on the local machine as well as other machines that it has access to using a random file name:

Windows\Start Menu\Programs\Startup\[random_name].exe when executed on a Windows 95/98/Me-based system

Documents and Settings\<current user name>\Start Menu\Programs\Startup\[random_name].exe when executed on a Windows NT/2000/XP-based system

The CERT/CC strongly encourages users to install anti-virus software, and keep its virus information files up-to-date.

Users may also wish to consider filtering email attachments with the extensions listed above and to monitor traffic destined for port 1080/tcp.

You may also wish to visit the CERT/CC's computer virus resources page.